Security trends 2017

2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and company systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to keep looking for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential to the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP: beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
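As an added illustration (not code from the original post), the following Python script reproduces the condition behind the Chrome 56 warning: a page is flagged when it is served over plain HTTP and contains a password field or a credit-card field. The sample pages are constructed, and treating `autocomplete="cc-..."` as the marker of a credit-card field is an assumption about how such forms are marked up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collect <input> fields that an HTTP page must not carry to avoid the warning."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() == "password":
            self.password_fields.append(a.get("name", "?"))
        # Assumption: card-number fields are marked with autocomplete="cc-..."
        if a.get("autocomplete", "").lower().startswith("cc-"):
            self.card_fields.append(a.get("name", "?"))


def chrome56_not_secure(url, html):
    """Return the reasons the page would be labelled 'Not secure', or [] if none."""
    # Only the scheme of the page itself matters: a form that posts to HTTPS
    # from an HTTP page is still flagged, because the page could be tampered with.
    if urlsplit(url).scheme.lower() != "http":
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    reasons = []
    if finder.password_fields:
        reasons.append("password field(s): " + ", ".join(finder.password_fields))
    if finder.card_fields:
        reasons.append("credit-card field(s): " + ", ".join(finder.card_fields))
    return reasons


# Constructed sample pages (not real sites).
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form></body></html>"""

CHECKOUT_PAGE = """<html><body>
<form action="https://pay.example.test/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in [("http://shop.example.test/login", LOGIN_PAGE),
                      ("http://shop.example.test/checkout", CHECKOUT_PAGE),
                      ("https://shop.example.test/login", LOGIN_PAGE)]:
        reasons = chrome56_not_secure(url, page)
        print(url, "->", "Not secure: " + "; ".join(reasons) if reasons else "no warning")
```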

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will have migrated to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
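The following Python script is an added example (not from the original post) of the check a site operator would run before the deadline: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and reports whether the certificate is SHA-1-signed. The test certificates are constructed placeholders built by a small DER encoder; only the algorithm identifiers are real OIDs.

```python
# Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm
#   AlgorithmIdentifier (SEQUENCE { OID, params }), signatureValue BIT STRING }
# Only this outer structure is parsed; the tbsCertificate body is skipped.

SHA1_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit set on all but the last byte
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "expected Certificate SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier
    assert tag == 0x30, "expected AlgorithmIdentifier SEQUENCE"
    tag, oid, _ = _read_tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)


def classify(cert_der):
    oid = signature_algorithm(cert_der)
    if oid in SHA1_OIDS:
        return "SHA-1 (will be distrusted): " + SHA1_OIDS[oid]
    if oid in SHA2_OIDS:
        return "SHA-2: " + SHA2_OIDS[oid]
    return "unknown algorithm " + oid


# --- constructed test certificates: the bodies are placeholders, not real certs ---
def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content


def _fake_cert(algorithm_oid_der):
    tbs = _der(0x30, b"\x02\x01\x01" + b"\x00" * 300)   # placeholder tbsCertificate
    alg = _der(0x30, algorithm_oid_der + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 64)            # placeholder signature BIT STRING
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_OID_DER = bytes.fromhex("06092a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("06092a864886f70d01010b")    # 1.2.840.113549.1.1.11
ECDSA_SHA256_OID_DER = bytes.fromhex("06082a8648ce3d040302")    # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    for name, oid_der in [("legacy", SHA1_RSA_OID_DER), ("current", SHA256_RSA_OID_DER),
                          ("ec", ECDSA_SHA256_OID_DER)]:
        print(name, "->", classify(_fake_cert(oid_der)))
```

For a live site, the standard library call `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` yields the DER bytes `classify` expects; note that this fetches the leaf certificate only, so intermediates in the chain have to be checked separately.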

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to their business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors to it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need for telecom operator and external services increases). In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophic concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year or eating their favourite food in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During the autumn of 2016 we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain platform and offers it in its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains in its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for block chains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Ken Yeung / VentureBeat:
    WSJ: SEC is investigating whether Yahoo should have disclosed company’s data breaches sooner

    Yahoo reportedly under investigation by SEC over data breaches
    http://venturebeat.com/2017/01/22/yahoo-reportedly-under-investigation-by-sec-over-data-breaches/

    Yahoo is facing an investigation by the U.S. Securities and Exchange Commission relating to its failure to promptly disclose to investors information about the two massive data breaches the company revealed last year.

    The Wall Street Journal reports that the SEC requested documents from Yahoo in December over whether the company, which is in the midst of a $4.8 billion acquisition by Verizon, properly disclosed details about the cyberattacks and if it complied with civil securities laws.

  2. Tomi Engdahl says:

    Blockchain’s brilliant approach to cybersecurity
    http://venturebeat.com/2017/01/22/blockchains-brilliant-approach-to-cybersecurity/

    Hackers can shut down entire networks, tamper with data, lure unwary users into cybertraps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure.

    Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service attacks.

    1. Protecting identities

    Public Key Infrastructure (PKI) is a popular form of public key cryptography that secures emails, messaging apps, websites, and other forms of communication. However because most implementations of PKI rely on centralized, trusted third party Certificate Authorities (CA)

    Publishing keys on a blockchain instead would eliminate the risk of false key propagation and enable applications to verify the identity of the people you are communicating with.

    CertCoin is one of the first implementations of blockchain-based PKI.

    2. Protecting data integrity

    We sign documents and files with private keys so that recipients and users can verify the source of the data they’re handling. And then we go to great lengths to prove that those keys haven’t been tampered with

    The blockchain alternative to document signing replaces secrets with transparency, distributing evidence across many blockchain nodes and making it practically impossible to manipulate data without being caught.

    3. Protecting critical infrastructure

    A massive October DDoS attack taught us all a painful lesson about how easy it has become for hackers to target critical services. By bringing down the single service that provided Domain Name Services (DNS) for major websites, the attackers were able to cut off access to Twitter, Netflix, PayPal, and other services for several hours, yet another manifestation of the failure of centralized infrastructures.

    A blockchain approach to storing DNS entries could, according to Coin Center’s Peter Van Valkenburgh, improve security by removing the single target that hackers can attack to compromise the entire system.

  3. Tomi Engdahl says:

    Jonathan Stempel / Reuters:
    Appeals court upholds verdict barring the US Department of Justice from forcing Microsoft into handing over data on servers outside US — An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp …

    Microsoft victory in overseas email seizure case is upheld
    http://www.reuters.com/article/us-microsoft-usa-warrant-idUSKBN1581YQ

    An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.

    In the July decision, Circuit Judge Susan Carney ruled that Microsoft could not be forced to turn over emails sought for a narcotics case, but stored on a server in Dublin, Ireland.

  4. Tomi Engdahl says:

    Mike Butcher / TechCrunch:
    Cybersecurity firm SentinelOne, specializing in multiple-vector cyber attacks, raises a $70M Series C round led by Redpoint Ventures

    SentinelOne raises a $70M C round to tackle multiple-vector cyber attacks
    https://techcrunch.com/2017/01/25/sentinelone-raises-a-70m-c-round-to-tackle-multiple-vector-cyber-attacks/

    As workforces become increasingly mobile with laptops, smartphones and other handheld devices, the potential for vulnerability increases massively. The sophistication of cyber threats and targeted attacks is constantly evolving. SentinelOne is a cyber security player that has concentrated on this new, multiple-vector, attack method, among others.

    https://sentinelone.com/

    Changing the Security Paradigm

    Goodbye AV. Hello NG. Behavioral-based detection and intelligent automation stop the most advanced malware, exploit, and insider attacks in their tracks.

  5. Tomi Engdahl says:

    Jane Smith / G Suite Update Alerts:
    Gmail to block JavaScript file attachments on February 13; Google says .js files can still be sent using Google Drive and Google Cloud Storage

    Gmail will block .js file attachments starting February 13, 2017
    http://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-file-attachments.html

    Gmail currently restricts certain file attachments (e.g. .exe, .msc, and .bat) for security reasons, and starting on February 13, 2017, we will not allow .js file attachments as well.

  6. Tomi Engdahl says:

    Colin Lecher / The Verge:
    Report: Donald Trump is still using his unsecured Android phone to tweet while watching TV in the evenings, despite protests by aides — Donald Trump’s long-held Android phone is a security nightmare for a high-level politician, but according to a report from the New York Times …

    Trump is reportedly still using his unsecured Android phone
    http://www.theverge.com/2017/1/25/14386524/trump-unsecure-android-phone-report

    Donald Trump’s long-held Android phone is a security nightmare for a high-level politician, but according to a report from The New York Times, the newly inaugurated president is still using the device.

    “old, unsecured Android phone” — previously reported to be a Samsung device

    It’s No Trump Tower, but White House Has ‘Beautiful’ Phones
    https://www.nytimes.com/2017/01/25/us/politics/president-trump-white-house.html

  7. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Facebook adds support for physical USB security keys, including Yubico’s NFC key for Android

    You can now use NFC to lock down your Facebook page
    A new kind of two-factor authentication
    http://www.theverge.com/2017/1/26/14397276/facebook-two-factor-nfc-security-key-account-hack

    Today, Facebook announced support for security keys, giving users the chance to secure their logins with a physical device. Alongside the standard setup, Facebook also built support for a more experimental NFC login system, the first major deployment of its kind.

    Security keys work as part of Facebook’s two-factor authentication system, which adds a second layer of defense in case a user’s password is compromised. Usually that second factor is a string of numbers sent over text or an on-board app, but the security key makes it a physical device, a smart USB drive inserted into the computer whenever you log in. To make it work, you’ll have to buy a device and carry it with you at all times, usually on a keyring, but the end result is easier and faster than waiting for a code over SMS. A number of services already support security keys under the FIDO specification, including Google, Dropbox, and GitHub.

    The plot to kill the password
    The world’s most powerful companies want you to log in with fingerprints and eyescans
    http://www.theverge.com/2014/4/15/5613704/the-plot-to-kill-the-password

  8. Tomi Engdahl says:

    Ryan Hurst / Google Online Security Blog:
    Google creates Google Trust Services to operate its own Root Certification Authority

    The foundation of a more secure web
    http://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html

    In support of our work to implement HTTPS across all of our products (https://www.google.com/transparencyreport/https/) we have been operating our own subordinate Certificate Authority (GIAG2), issued by a third-party. This has been a key element enabling us to more rapidly handle the SSL/TLS certificate needs of Google products. As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology.

  9. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Chrome 56 arrives with 28% faster page reloading, “Not secure” warning for HTTP password and credit card forms — Google has launched Chrome 56 for Windows, Mac, Linux, and Android. Among the additions is a new warning for websites that collect passwords or credit card numbers …

    Chrome 56 arrives with warning for HTTP password and credit card webpages, faster page reloading
    http://venturebeat.com/2017/01/26/chrome-56-arrives-with-warning-for-http-password-and-credit-card-webpages-faster-page-reloading/

    Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

    HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification).

    The move follows similar actions by Mozilla, which released Firefox 51 earlier this week. Both browser makers plan to mark all HTTP sites as non-secure in the future, with the long-term goal of getting the whole web onto HTTPS.

  10. Tomi Engdahl says:

    Fake News Is About to Get Even Scarier than You Ever Dreamed
    What we saw in the 2016 election is nothing compared to what we need to prepare for in 2020.
    http://www.vanityfair.com/news/2017/01/fake-news-technology

    Less than a month after Donald Trump was improbably elected the 45th president of the United States, a strange story began to make its way across social media.

    At corporations and universities across the country, incipient technologies appear likely to soon obliterate the line between real and fake. Or, in the simplest of terms, advancements in audio and video technology are becoming so sophisticated that they will be able to replicate real news—real TV broadcasts, for instance, or radio interviews—in unprecedented, and truly indecipherable, ways. One research paper published last year by professors at Stanford University and the University of Erlangen-Nuremberg demonstrated how technologists can record video of someone talking and then change their facial expressions in real time. The professors’ technology could take a news clip of, say, Vladimir Putin, and alter his facial expressions in real time in hard-to-detect ways. In fact, in this video demonstrating the technology, the researchers show how they did manipulate Putin’s facial expressions and responses, among those of other people, too.

  11. Tomi Engdahl says:

    New York Times:
    Russian media reports say two Russian intel officers who worked in office linked to US election hacking have been charged with treason for providing info to US — WASHINGTON — Ever since American intelligence agencies accused Russia of trying to influence the American election …

    Russians Charged With Treason Worked in Office Linked to Election Hacking
    https://www.nytimes.com/2017/01/27/world/europe/russia-hacking-us-election.html

    Ever since American intelligence agencies accused Russia of trying to influence the American election, there have been questions about the proof they had to support the accusation.

    But the news from Moscow may explain how the agencies could be so certain that it was the Russians who hacked the email of Hillary Clinton’s campaign and the Democratic National Committee. Two Russian intelligence officers who worked on cyberoperations and a Russian computer security expert have been arrested and charged with treason for providing information to the United States, according to multiple Russian news reports.

  12. Tomi Engdahl says:

    Sebastian Anthony / Ars Technica:
    Browser makers express frustration with invasive third-party antivirus software, which can make PCs less secure

    It might be time to stop using antivirus
    Update your software and OS regularly instead, practice skeptical computing.
    https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

    Former Firefox developer Robert O’Callahan, now a free agent and safe from the PR tentacles of his corporate overlord, says that antivirus software is terrible, AV vendors are terrible, and that you should uninstall your antivirus software immediately—unless you use Microsoft’s Windows Defender, which is apparently okay.

    A couple of months back, Justin Schuh, Google Chrome’s security chief, and indeed one of the world’s top infosec bods, said that antivirus software is “my single biggest impediment to shipping a secure browser.” Further down the thread he explains that meddling AV software delayed Win32 Flash sandboxing “for over a year” and that further sandboxing efforts are still on hold due to AV. The man-in-the-middle nature of antivirus also causes a stream of TLS (transport layer security) errors, says Schuh, which in turn breaks some elements of HTTPS/HSTS.

    The problem, from the perspective of the browser makers, is that antivirus software is incredibly invasive.

    Furthermore, because of the aforementioned knotweed-style rhizomes of antivirus programs, the AV software itself presents a very large attack surface. As in, without AV installed, a hacker might have to find a vulnerability in the browser or operating system—but if there’s AV present, the hacker can also look for a vulnerability there. This wouldn’t necessarily be a problem if AV makers made secure software, but for the most part they don’t (except for Windows Defender, because Microsoft is “generally competent,” according to O’Callahan).

    Back in June last year, Google’s Project Zero found 25 high-severity bugs in Symantec/Norton security products. “These vulnerabilities are as bad as it gets,”

    The nail in the coffin, according to O’Callahan, is that software vendors rarely speak out about antivirus issues “because they need cooperation from the AV vendors.”

    Antivirus software is so ingrained with Windows users, and synonymous with the concept of “good security,” that software makers have their hands tied. “When your product crashes on startup due to AV interference, users blame your product, not AV,”

  13. Tomi Engdahl says:

    Webshell Attacks are a Rising Threat to Networks

    Web servers and web applications are often a weak point in an organization’s infrastructure, and malicious actors have always targeted them. They still do.

    Alert (TA15-314A)
    Compromised Web Servers and Web Shells – Threat Awareness and Guidance
    https://www.us-cert.gov/ncas/alerts/TA15-314A

    Web shells can be used to obtain unauthorized access and can lead to wider network compromise. This alert outlines the threat and provides prevention, detection, and mitigation strategies.

    Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.

    Web Shell Description

    A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.

    A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used.

    Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software.

    Web shells are utilized for the following purposes:

    To harvest and exfiltrate sensitive data and credentials;
    To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
    To use as a relay point to issue commands to hosts inside the network without direct Internet access;
    To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

    Web shells such as China Chopper, WSO, C99 and B374K are frequently chosen by adversaries; however these are just a small number of known used web shells.

    Web shells can be delivered through a number of web application exploits or configuration weaknesses including:

    Cross-Site Scripting;
    SQL Injection;
    Vulnerabilities in applications/services (e.g., WordPress or other CMS applications);
    File processing vulnerabilities (e.g., upload filtering or assigned permissions);
    Remote File Include (RFI) and Local File Include (LFI) vulnerabilities;
    Exposed Admin Interfaces (possible areas to find vulnerabilities mentioned above).

    Prevention and Mitigation

    Installation of a web shell is commonly accomplished through web application vulnerabilities or configuration weaknesses. Therefore, identification and closure of these vulnerabilities is crucial to avoiding potential compromise.

    An Introduction to Web-shells – Part 1
    http://www.acunetix.com/blog/articles/introduction-web-shells-part-1/

    A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. A web-shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack (this stage is also referred to as post-exploitation).

    An attacker can take advantage of common vulnerabilities such as SQL injection, remote file inclusion (RFI), FTP, or even use cross-site scripting (XSS) as part of a social engineering attack in order to upload the malicious script. The common functionality includes but is not limited to shell command execution, code execution, database enumeration and file management.

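The TA15-314A alert above lists detection among its strategies. As an added example (not from the alert or the comment), the Python script below applies two of the simplest web-shell indicators to web server access logs: a server-side script living in a directory that should only hold uploaded static content, and repeated POST requests to a script with no Referer header, which is how a shell is typically driven rather than how a browser submits forms. The log lines and host names are constructed; the directory list and the POST threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the regex captures the fields used below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SCRIPT_EXT = (".php", ".php5", ".phtml", ".asp", ".aspx", ".jsp")
# Assumption: these directories hold static content only, so a script there is suspect.
STATIC_DIRS = ("/uploads/", "/wp-content/uploads/", "/images/", "/media/", "/tmp/")
POST_THRESHOLD = 3   # assumption: this many referer-less POSTs to one script is worth a look


def parse(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return {path: set(reasons)} for script paths showing web-shell-like activity."""
    findings = defaultdict(set)
    posts_without_referer = defaultdict(int)
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0].lower()   # drop the query string
        if not path.endswith(SCRIPT_EXT):
            continue
        if any(d in path for d in STATIC_DIRS):
            findings[path].add("script in static-content directory")
        if r["method"] == "POST" and r["referer"] in ("", "-"):
            posts_without_referer[path] += 1
    for path, n in posts_without_referer.items():
        if n >= POST_THRESHOLD:
            findings[path].add(f"{n} POSTs with no Referer")
    return dict(findings)


# Constructed sample log: normal site traffic plus one suspicious script.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2017:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jan/2017:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.test/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2017:10:16:40 +0000] "GET /wp-content/uploads/2017/01/photo.jpg HTTP/1.1" 200 84213 "http://www.example.test/" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2017:10:17:01 +0000] "POST /wp-content/uploads/2017/01/cache.php HTTP/1.1" 200 311 "-" "python-requests/2.12"
198.51.100.7 - - [28/Jan/2017:10:17:05 +0000] "POST /wp-content/uploads/2017/01/cache.php HTTP/1.1" 200 1984 "-" "python-requests/2.12"
198.51.100.7 - - [28/Jan/2017:10:17:22 +0000] "POST /wp-content/uploads/2017/01/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.12"
203.0.113.9 - - [28/Jan/2017:10:18:00 +0000] "GET /contact.php HTTP/1.1" 200 4100 "http://www.example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for path, reasons in analyse(SAMPLE_LOG.splitlines()).items():
        print(path, "->", "; ".join(sorted(reasons)))
```

Log heuristics like these complement, rather than replace, checks on the file system itself (new or modified script files compared against a known-good baseline), since a shell placed outside the listed directories and driven with a forged Referer would pass both tests.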
  14. Tomi Engdahl says:

    Ninety-Five Percent of Webshell Attacks Written in PHP
    https://securityintelligence.com/ninety-five-percent-of-webshell-attacks-written-in-php/

    There’s nothing inherently malicious about a webshell, which is a script that can be uploaded to a web server to enable remote administration of the machine. In the hands of an attacker, however, they are a serious cyberthreat. Advanced persistent threat (APT) groups often use webshells to breach organizations.

    Webshell Attacks Surging

    Earlier this year, we reported on two notable upticks in webshell attacks: C99 Shell and b374k. This activity intrigued our analysts, warranting further investigation.

    Got WordPress? PHP C99 Webshell Attacks Increasing
    https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/

  15. Tomi Engdahl says:

    Does Trump Executive Order Threaten EU/US Business? Probably Not.
    http://www.securityweek.com/does-trump-executive-order-threaten-euus-business-probably-not

    U.S. President Donald Trump’s executive order titled ‘Enhancing Public Safety in the Interior of the United States’ appears to threaten the future of the EU/US Privacy Shield, but that may not be the case.

    Privacy Shield is the agreement that allows US organizations to store personal data of EU citizens on servers in the US. Without it, US companies trading with Europe will almost certainly and automatically be in breach of the General Data Protection Regulation (GDPR).

    The European Commission seems to be optimistic. In a statement, it says, “The US Privacy Act has never offered data protection rights to Europeans… [We] are following closely any changes in the U.S. that might have an effect on Europeans’ data protection rights.”

    But other European politicians are more concerned.

    The stakes are high. If Privacy Shield is revoked, then any US organization using it to allow the removal of European PII to the US will immediately be contravening European law. In the most extreme interpretation, this would mean that Facebook, Google, Microsoft and a host of commercial enterprises, around 1500, would have to cease European operations or risk GDPR fines.

    “The Privacy Shield agreement,” wrote the WSJ this morning, “which replaced the Safe Harbor data-sharing pact that was struck down in October 2015 by Europe’s top court, may no longer apply since the executive order was signed on Monday.”

    Reply
  16. Tomi Engdahl says:

    Facebook Offers FIDO-based Authentication Option
    http://www.securityweek.com/facebook-offers-fido-based-authentication-option

    Facebook is adding support for a FIDO-based Universal 2nd Factor (U2F) authentication key to its multi-factor authentication process. This does not replace Facebook’s existing SMS-based second-factor option, but adds a more secure alternative for the security-conscious user.

    Passwords have long been considered a security problem. The password theory is good; but is consistently abused by both consumers and some websites. Consumers often choose weak passwords, and even more frequently re-use passwords across multiple sites. Websites do not all store their passwords securely: sometimes in cleartext and sometimes with poor or compromised hashing algorithms. The effect is that regardless of the security in place at any one account — such as Facebook — accounts can still be compromised via legitimate user credentials stolen from elsewhere.

    Attempts to solve this problem have led to the evolution of multi-factor authentication; with an additional SMS-delivered one-time-code being the most popular.

    NIST recently declared that same-band SMS 2FA is no longer considered to be secure.

    The new authentication key avoids these issues and simultaneously increases security. The second factor is held within the USB key itself, so there is nothing for the user to remember or type in.

    Secondly, the key is interoperable with any account that supports U2F — such as Google, Salesforce and Dropbox. This means that any user who already has a U2F key can simply add the details to Facebook’s login approvals option and use the same key.

    Reply
  17. Tomi Engdahl says:

    Android VPNs Introduce Security, Privacy Risks: Study
    http://www.securityweek.com/android-vpns-introduce-security-privacy-risks-study

    Researchers have analyzed hundreds of virtual private network (VPN) applications for Android and determined that many of them introduce serious privacy and security risks.

    Reply
  18. Tomi Engdahl says:

    Americans Distrustful After Hacking Epidemic: Survey
    http://www.securityweek.com/americans-distrustful-after-hacking-epidemic-survey

    Washington – Nearly two-thirds of Americans have experienced some kind of data theft or fraud, leaving many mistrustful of institutions charged with safeguarding their information, a poll showed Wednesday.

    The Pew Research Center survey found 41 percent of Americans have encountered fraudulent charges on their credit cards, and 35 percent had sensitive information like an account number compromised.

    Smaller percentages said their email or social media accounts had been compromised or that someone had impersonated them in order to file fraudulent tax returns.

    Taken together, the survey found 64 percent said they had some form of personal data stolen or compromised.

    Reply
  19. Tomi Engdahl says:

    OpenSSL Patches Four Vulnerabilities
    http://www.securityweek.com/openssl-patches-four-vulnerabilities

    The OpenSSL Project announced on Thursday the availability of OpenSSL versions 1.1.0d and 1.0.2k, which address a total of four low and moderate severity vulnerabilities.

    One of the flaws, tracked as CVE-2017-3731, allows an attacker to trigger an out-of-bounds read using a truncated packet and crash an SSL/TLS server or client running on a 32-bit host.

    Currently, the only supported versions of OpenSSL are 1.0.2 and 1.1.0. Version 1.0.1 has not received security updates since January 1.

    Reply
  20. Tomi Engdahl says:

    ‘Perfect Cyber Storm’ Threatens Europe, Report Says
    http://www.securityweek.com/perfect-cyber-storm-threatens-europe-report-says

    Intensifying Threat Climate and Regulatory Changes are Fundamental Challenges Facing the European Union

    A perfect storm is threatening, and ‘cyber storm clouds are gathering over Europe on three fronts’. Those fronts are a dramatically intensifying threat landscape; a profoundly changing regulatory landscape; and the need for significantly more work from organizations to confront the combined challenge.

    The first ‘storm cloud front’ in FireEye’s perfect storm metaphor is the intensifying threat landscape.

    “Hackers and purportedly nation states,”

    This will follow the arrival of the new European General Protection Regulation (GDPR). Under existing European data protection laws there is little requirement for European organizations to make public breach notifications, and they tend not to. This will change with GDPR when notifications of personal data loss will be required.

    GDPR places far-reaching requirements on the storage and protection of European personal data that go beyond just security.

    GDPR is the second front in Europe’s perfect storm described by FireEye. But GDPR doesn’t just affect Europe — it affects any organization anywhere in the world that does business in Europe and collects European personal data.

    FireEye’s third front claims a general lack of preparedness against the first two.

    The goal of the paper, according to FireEye’s Tony Cole, is to “make the EU community more aware of emerging cyber threat storm clouds and encourage organizations to prioritize cyber defense by partnering with experts in industry and government.”

    https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-world-eco-forum.pdf

    Reply
  21. Tomi Engdahl says:

    Clarence Williams / Washington Post:
    123 of 187 of Washington DC police CCTV network video recorders were infected with ransomware, unable to record between January 12 and 15 — Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration …

    Hackers hit D.C. police closed-circuit camera network, city officials disclose
    https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html?utm_term=.fa61736a8a28

    Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts, according to the police and the city’s technology office.

    City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.

    Reply
  22. Tomi Engdahl says:

    Kate Conger / TechCrunch:
    Facebook to begin a limited trial of Delegated Recovery, a system for recovering third party accounts that aims to obviate email’s role in that process — Getting locked out of your account sucks. Almost everyone has experienced the frustration of forgetting a password …

    Facebook challenges email for control of your online identity
    https://techcrunch.com/2017/01/30/facebook-challenges-email-for-control-of-your-online-identity/

    Getting locked out of your account sucks. Almost everyone has experienced the frustration of forgetting a password, losing the phone on which they receive two-factor authentication codes, or jumbling the answer to a security question.

    But as exasperating as it is to lose access to your account, none of the widely-available measures for account recovery are very secure. Major breaches like the recently-disclosed Yahoo hacks often include not only passwords but also answers to security questions, which hackers can recycle across other sites to compromise your accounts. Many sites will respond to a lost password report by sending a recovery link to the user’s email, which could itself be compromised.

    Facebook wants to fix the process of account recovery — and replace email as the hub of online identity management in the process.

    Facebook security engineer Brad Hill announced today at the USENIX Enigma conference that his company is launching an account recovery feature for other websites called Delegated Recovery. Facebook will let users set up encrypted recovery tokens for sites like Github, and if a user ever loses access to her Github account, she will send the stored token from her Facebook profile back to Github, proving her identity and unlocking her account.

    “No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token,” Hill told TechCrunch, pointing out some of the flaws with SMS two-factor authentication and password reset emails. “We can get you back into your account even if you drop your phone off the boat.”

    Reply
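The three-party exchange the article sketches (account site issues a token, identity hub stores and later countersigns it, account site redeems it), as an added example that is not Facebook's or GitHub's code and simplifies the published Delegated Recovery design: HMAC-SHA256 with a key the account site is assumed to hold stands in for the ECDSA signatures and published public keys of the real protocol, and the provider names and user identifiers are constructed.

```python
"""Simplified Delegated Recovery flow (added example, not the protocol's reference code)."""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, data):
    # Assumption: HMAC-SHA256 stands in for the ECDSA signatures of the real protocol.
    return hmac.new(key, data, hashlib.sha256).digest()


class AccountProvider:
    """The site that owns the account (GitHub in the article)."""

    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)
        self.issued = {}      # token id -> username; this mapping never leaves the server
        self.used = set()

    def issue_token(self, username, audience):
        """Token the user saves at the recovery provider: an opaque id plus our MAC, no account data."""
        token_id = os.urandom(16).hex()
        body = json.dumps({"id": token_id, "iss": self.name, "aud": audience,
                           "iat": int(time.time())}, sort_keys=True).encode()
        self.issued[token_id] = username
        return _b64(body) + "." + _b64(_mac(self.key, body))

    def recover(self, countersigned, provider_key):
        """Redeem a countersigned token; returns the username it unlocks, or None."""
        try:
            body64, mac64, meta64, mac2_64 = countersigned.split(".")
            body, meta = _unb64(body64), json.loads(_unb64(meta64))
            # 1. the recovery provider vouched for this token after re-authenticating the user
            vouched = ".".join([body64, mac64, meta64]).encode()
            if not hmac.compare_digest(_unb64(mac2_64), _mac(provider_key, vouched)):
                return None
            # 2. we issued it, it was not altered, and it was addressed to that provider
            if not hmac.compare_digest(_unb64(mac64), _mac(self.key, body)):
                return None
            claims = json.loads(body)
            if claims["iss"] != self.name or claims["aud"] != meta["countersigner"]:
                return None
            # 3. single use: a token that leaks after redemption is worthless
            if claims["id"] in self.used or claims["id"] not in self.issued:
                return None
        except (ValueError, KeyError):
            return None
        self.used.add(claims["id"])
        return self.issued[claims["id"]]


class RecoveryProvider:
    """The identity hub that stores tokens (Facebook in the article); it cannot read the account name."""

    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)
        self.vault = {}       # this provider's own user -> saved tokens

    def save(self, user, token):
        claims = json.loads(_unb64(token.split(".")[0]))
        if claims["aud"] != self.name:
            raise ValueError("token is addressed to another provider")
        self.vault.setdefault(user, []).append(token)

    def countersign(self, user, issuer):
        """After `user` re-authenticates here, vouch for the token that `issuer` gave them."""
        for token in self.vault.get(user, []):
            if json.loads(_unb64(token.split(".")[0]))["iss"] == issuer:
                meta = _b64(json.dumps({"countersigner": self.name, "ts": int(time.time())}).encode())
                return token + "." + meta + "." + _b64(_mac(self.key, (token + "." + meta).encode()))
        return None


if __name__ == "__main__":
    github, facebook = AccountProvider("github"), RecoveryProvider("facebook")
    token = github.issue_token("alice", audience="facebook")            # while Alice still has access
    facebook.save("alice.fb", token)
    countersigned = facebook.countersign("alice.fb", issuer="github")   # after she loses GitHub access
    print(github.recover(countersigned, facebook.key))   # 'alice'
    print(github.recover(countersigned, facebook.key))   # None: already redeemed
```

The point that separates this from an e-mailed reset link is visible in the two checks the account site performs: the stored token alone proves nothing (it was minted by the site and the hub merely kept it), and only the hub's countersignature, produced after the user passed the hub's own login and second factor, turns it into evidence; because the token body holds an opaque id and the site keeps the id-to-account mapping itself, a breach of the hub's vault yields nothing usable without the hub's signing key.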
  23. Tomi Engdahl says:

    Corin Faife / CoinDesk:
    Cisco, Foxconn, Bosch, Gemalto, blockchain startups, and others form an alliance to develop blockchain-based security protocol for IoT devices

    Bosch, Cisco, Gemalto and More: Tech Giants Team Up For Blockchain-IoT
    http://www.coindesk.com/bosch-cisco-gemalto-and-more-tech-giants-team-for-blockchain-iot/

    The Internet of Things (IoT) – the vast web of connected devices which is becoming a fundamental part of the technological infrastructure that surrounds us – brings both huge potential and great risk.

    But as a consequence, every connected device is another attack surface for a hacker to target, and significant concerns have been expressed about the growing number of IoT devices which have been weaponised into botnets or used as surveillance tools.

    Evidence of these high-profile breaches means that attempts to increase trust and security between IoT devices are crucial – so it’s big news that a group of Fortune 500 companies from the hardware and software industries is joining with a team of blockchain startups to develop a protocol that will connect the dots between IoT devices and blockchain technology.

    “The barcode was a simple and unique system that led to huge improvements in the retail industry,” Orr said. “Unfortunately the system was not secure, so you have trillions of dollars of counterfeiting today … Once we have a secure system of identity that’s open and interoperable, I think the implications will be as big as the barcode over 10 to 20 years.”

    Reply
  24. Tomi Engdahl says:

    Responsible Disclosure – Critical for Security, Critical for Intelligence
    http://www.securityweek.com/responsible-disclosure-critical-security-critical-intelligence

    Not Adhering to Responsible Disclosure has the Potential to Amplify the Threats Posed by Certain Vulnerabilities and Incidents

    Serious implications for safety and security

    First and foremost, not adhering to responsible disclosure has the potential to amplify the threats posed by certain vulnerabilities and incidents. By publicly exposing a zero-day vulnerability without giving the affected company sufficient time to address it, you also expose the vulnerability to threat actors who could potentially take advantage of it before a patch becomes available. And given that a patch may not always be made available immediately, it’s even more crucial that knowledge of the vulnerability remain as restricted as possible from those with the potential to abuse it.

    Even in certain circumstances where knowledge of a vulnerability has already fallen into the wrong hands, public disclosure can be detrimental.

    The consequences of victim-shaming

    Aside from the security and safety implications of not adhering to responsible disclosure, such practices facilitate victim-shaming — to which numerous negative, widespread implications are inherent. First, victim-shaming can be a PR nightmare for the affected organization. An abundance of negative press and countless inquiries typically means that the organization may need to waste precious time and resources assuaging fears and responding — often without clear answers — to the media, customers, stakeholders, shareholders, and others. In many cases, bad PR of this nature can sensationalize the threat, vulnerability, or incident, leading to large-scale public overreaction with the potential to ripple outward even further and take more time and resources away from the affected organization.

    Intelligent disclosure

    Although security researchers have been key proponents of responsible disclosure for years, established practices and protocol are just beginning to gain traction among intelligence vendors.

    Often, responsible disclosure means announcing the key facts surrounding an incident — typically, what others need to know in order to protect themselves — without disclosing all of the unnecessary specifics. For instance, we may announce the ways in which a large healthcare organization on the west coast became the victim of ransomware, indicators of the specific strain of ransomware, and what other organizations can do to avoid a similar fate.

    Under certain circumstances where our team feels that withholding the information could raise others’ risk levels substantially but will not exacerbate the threat, we do release it to the public — but in an informative way that answers all questions, explains the risk accurately, outlines any actions those affected may need to take.

    Reply
  25. Tomi Engdahl says:

    What’s Ahead for ICS Cyber Security in 2017
    http://www.securityweek.com/whats-ahead-ics-cyber-security-2017

    1. Growing Threat of ICS Malware Appearing in the Wild
    2. Cyber-Physical Warfare will be Waged
    3. ICS Hacktivism will Become More Prominent
    4. Cyber Extortion will Target Plants
    5. Adversaries will Develop “Red Button” Capability
    6. More Physical Infrastructure will show up when scanning the Internet

    Summary

    One of the biggest concerns, if these industrial threat predictions come true, is the likelihood of widespread collateral damage. Since they target specific ICS technologies, most of which are used in a wide range of industries, an attack unleashed in the wild is likely to impact organizations that were not the intended target.

    Reply
  26. Tomi Engdahl says:

    Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated
    http://www.securityweek.com/cyber-threat-intelligence-shows-majority-cybercrime-not-sophisticated

    It’s a new year and while some things change, some things stay the same (or similar). There’s lots of FUD about the sophisticated cyber attacks that are multi-threaded and obfuscated. Certainly there are attacks that fall into this category, but if you look at all of the cybercrime activity from the past year, it’s clear that the majority of threats do not have the level of sophistication that is often talked about.

    Rather, what cyber threat intelligence is showing us is that most threats simply exploit a series of well-documented vulnerabilities and other weak points to move along the path of least resistance – and the most profit.

    Reply
  27. Tomi Engdahl says:

    Confidence Lost
    http://www.securityweek.com/confidence-lost

    Those were days when life was simpler, maybe slower . . . but maybe also more efficient, safer in ways that we’ve ceased to realize.

    Today, we expect ultimate convenience. But at what cost? More and more, I’m left wondering whether modern conveniences—grâce à today’s advanced technologies—are truly worth the risk. Hack after hack, I feel it eroding. And by it, I mean my confidence in our institutions—government, banking, healthcare—and their ability to protect us and themselves.

    The conveniences, benefits, and efficiencies of interconnectivity are being undermined by rampant online thievery and data manipulation. Aren’t you getting tired of hacker this and hacker that? Ever think maybe we should all just get offline and bring back the No. 2 pencil?

    How about online systems and IoT devices that are built to be more secure from the get go? Or maybe a security automation process that can help with protecting the multitude of devices coming online? Manual intervention, it seems, is really no longer an option. So 2016.

    Reply
  28. Tomi Engdahl says:

    Google Launches Its Own Root Certificate Authority
    http://www.securityweek.com/google-launches-its-own-root-certificate-authority

    Google announced on Thursday the expansion of its certificate authority (CA) efforts with the launch of a root CA that will allow the company to independently handle its certificate needs.

    The company has been on the frontline of efforts to make the Internet safer by getting all web services to use HTTPS, including by boosting secure pages in search results and by tracking the use of HTTPS on the world’s top 100 websites.

    Reply
  29. Tomi Engdahl says:

    Hiding in Plain Sight: Why Your Organization Can’t Rely on Security by Obscurity
    http://www.securityweek.com/hiding-plain-sight-why-your-organization-cant-rely-security-obscurity

    Attackers Don’t Examine Market Size When Deciding Whether or Not to Target an Organization or a Person

    When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services. Choosing the components of a solution is important, but can only be done once an approach is well understood. This comes much later in the discussion. Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

    As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk.

    Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar. This line of reasoning is reminiscent of the old “security by obscurity” way of thinking. As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.

    Attackers have shown time and time again that they care about one thing and one thing only: the location of the prize they are after. It doesn’t matter if that prize is money, information, disruption, or any of the other ends that motivate attackers. If an organization has what the attackers are after, they will go after it. It doesn’t matter if the organization has 10 employees or 10,000 employees.

    Unfortunately, there is really nowhere to hide in the virtual world.

    Attackers have shown tremendous creativity and resourcefulness when it comes to gaining access to the information they are after, regardless of the language it is written in and how many people speak that language.

    No matter how small the market, there will still be people, organizations, and information that attackers will want to target.

    to help educate management, executives, the board, and others of the need to approach security strategically, regardless of organization size, geographic location, spoken language, or market size.

    Reply
  30. Tomi Engdahl says:

    Fears Grow over Jihadist Cyber Threat
    http://www.securityweek.com/fears-grow-over-jihadist-cyber-threat

    Lille, France – Jihadists have yet to shut down a power grid, paralyze a transport network or banking system or take over a key industrial site from afar, but experts say the threat of such a cyber attack should be taken seriously.

    Analysts fear that while extremist groups may not have the necessary skills themselves, they could hire someone else to wreak havoc.

    “Digital attacks with major impacts are unlikely in the short term,” said Guillaume Poupard, head of France’s digital security service ANSSI, speaking to AFP at an international cyber security conference in Lille, France.

    “However, that could change very fast. Our real fear, and we may already be there, is that they will use mercenaries, people who will do anything for money,” Poupard said.

    “Even if they don’t have access to the capabilities, they can simply buy it on the darknet (a hidden internet realm of encrypted websites), where there is an enormous trade in cyber criminal technology,” Wainwright said at a panel discussion on “Terrorism in the Digital Age”.

    “That said, attacking the critical national infrastructures at least of most countries is… not easily done, and it’s something that is not as immediate and showy as firing automatic weapons in a theatre or in public,”

    Reply
  31. Tomi Engdahl says:

    The Application Security Testing Conundrum
    http://www.securityweek.com/application-security-testing-conundrum

    It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world in the sharp, square and discrete lens of digital and ignore the smooth and contiguous thinking of analog.

    This phenomenon can be readily seen in the world of software security, where there is a preponderance of binary sounding decisions that may have an analog solution. Static application security testing or dynamic application security testing? On premises or managed services? The answer may simply be “yes” with lots of shading based on each organization’s needs.

    The funny thing about the rush to apply digital thinking to software security is that at its heart, software security is fighting a very analog pursuit. Yes, software is a digital manifestation, but identifying and exploiting flaws and bugs in software is a highly creative and largely human endeavor. In other words, it is a very analog exercise. Logic would say that to stop an analog exercise, analog thinking might be in order.

    Reply
  32. Tomi Engdahl says:

    The State of Malware: 1 Billion Samples Under the Microscope
    http://www.securityweek.com/state-malware-1-billion-samples-under-microscope

    2016 was not a good year for information security. The inexorable rise of ransomware, major breach reports, the emergence of massive IoT-based DDoS attacks, the rise of the Kovter malware family, and the arrival of alleged international political interference all combined to make 2016 an exceptional year. Now a new state of malware analysis puts figures behind the malware element of 2016 threats.

    Anti-virus firm Malwarebytes examined almost 1 billion malware instances from June to November 2016. Data was drawn from nearly 100 million Windows and Android devices in more than 200 countries, together with additional data from its own honeypots. The ensuing report (PDF) looked at six threat categories: ransomware, ad fraud malware, Android malware, botnets, banking trojans, and adware.

    https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf

    Reply
  33. Tomi Engdahl says:

    EMV Payment Cards: Salvation or Failure?
    http://www.securityweek.com/emv-payment-cards-salvation-or-failure

    EMV Does Not Address More Sophisticated Cyber-attacks That Target Backend Systems Which Contain Card Holder Data

    October 2016 marked the one-year anniversary of the implementation of the Payment Card Industry (PCI) “EMV” mandate. However, a steady stream of data breaches impacting millions of shoppers and their credit card information including last year’s hack of Oracle’s MICROS Point-of-Sale Division, begs the question: “Is EMV really helping to reduce credit card fraud and minimize the risk of data exfiltration?”

    In the United States, the EMV standard took effect in October 2015. After that deadline, retailers and other merchants became financially liable for any counterfeit fraud losses associated with debit and credit cards that are present at the time of the transaction. A similar shift in fraud liability is set to occur at ATMs and gas pumps in October 2020.

    Reply
  34. Tomi Engdahl says:

    Why Segmentation-in-Depth is Foundational Cyber Security
    http://www.securityweek.com/why-segmentation-depth-foundational-cyber-security

    A True Segmentation-in-Depth Architecture Will Harness and Coordinate Key Enforcement Points

    Network segmentation was born out of the need to break large networks into smaller ones. While there are clear security benefits gained through network segmentation, the principal goal of creating subnets is to improve performance, avoiding broadcast storms and latency stimulated by our insatiable requirement for bandwidth. In this rush to connect everything, the networking industry focused on “can” versus “should.” The TCP/IP protocol was funded by folks at the Defense Advanced Research Projects Agency (DARPA) to make sure packets can be routed, even if parts of the networking infrastructure were taken out of commission by a war. Networking’s goal is can: do or die, we will get the packet from point a to point b.

    Security segmentation is different. Security professionals take a more nuanced view of communications, focusing on whether applications and users should be allowed to communicate with each other.

    The more connected an organization or a nation is to the Internet, the more vulnerable it has become. The less connected it is, the less competitive it might be in a globalized economy. The challenge is finding the balance between can and should.

    Organizations must take a new approach, build a new foundation for data center and cloud security that supports both the innovation of new applications and compute capabilities but offers critical protection against the lateral spread of attacks advanced by connectivity. The foundation of this new approach needs to include a “segmentation-in-depth” architecture: a protection strategy that reduces, if not eliminates, unauthorized communications. The heart of segmentation-in-depth is the linkage and coordination of multiple enforcement points that follow a prescriptive security policy.

    Security segmentation can be delivered across the data center and cloud, and with multiple enforcement points. Places in the network are ideal for most coarse grain segmentation (i.e., separating two environments), while finer grain segmentation (i.e., microsegmentation) is best delivered closer to the data, closer to the workload. Finally, a segmentation-in-depth strategy must consider whether an organization owns/controls the infrastructure applications run on.

    Reply
  35. Tomi Engdahl says:

    AP News:
    3 arrests over breach claimed by ‘Phineas Fisher’ hacker
    https://tinyurl.com/hbjdcxf

    MADRID (AP) — Spanish police have arrested three people over a data breach linked to a series of dramatic intrusions at European spy software companies claimed by an online Robin Hood-type figure known as Phineas Fisher.

    The arrests sent rumors flying because the Catalan breach had previously been claimed by Phineas Fisher, a hacker who first won notoriety in 2014 for publishing data from Britain’s Gamma Group — responsible at the time for spyware known as FinFisher. The hacker or group of hackers cemented their reputation by claiming responsibility for a spectacular breach at Italy’s Hacking Team in 2015.

    Reply
  36. Tomi Engdahl says:

    Trump hits control-Z on cybersecurity order: No reason given for delay
    Follows briefings heavy on blame, light on Russia
    https://www.theregister.co.uk/2017/01/31/trump_delays_cybersecurity_signing/

    US President Donald Trump unexpectedly cancelled the signing of a new executive order on cybersecurity Tuesday, following a day of briefings by the White House on its contents.

    The order – a draft of which was leaked and we reviewed last week – was due to be signed at 3:15pm Eastern time, but was cancelled at the last minute with no explanation given.

    Reply
  37. Tomi Engdahl says:

    Cyber-spying, leaking to meddle in foreign politics is the New Normal
    Ah, kids today! Nope, nope, this is governments we’re talking about
    https://www.theregister.co.uk/2017/02/01/nation_state_election_hacking/

    The allegations that computer hackers affected the outcome of the 2016 US presidential election have cast a long shadow and might appear to be unprecedented.

    But in fact they are not. Computer hacking has also featured as an issue in previous elections, in the US and elsewhere, albeit in much more peripheral roles.

    China, rather than Russia, for example, was suspected in the 2008 attacks on both the McCain and Obama US presidential campaigns. The big difference was that, unlike in 2016, there was no attempt to release the compromised data.

    Communications lifted after hacking the Democratic National Committee (DNC) network and compromised emails from Clinton campaign chair John Podesta were leaked during the 2016 US election campaign in what amounted to the weaponisation of stolen political intelligence.

    Lone wolves and hackers for hire

    Russia isn’t the only potential adversary to worry about. Lone wolf actors (such as the original Guccifer, Marcel Lazăr Lehel), Islamic activists, and other politically motivated actors or groups could also be sources of concern. Information security attacks could be made against political organisations, government institutions, and political operatives.

    Reply
  38. Tomi Engdahl says:

    You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’
    Give ‘p’s a chance… no?
    https://www.theregister.co.uk/2017/01/31/cryptkeeper_cooked/

    Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: “p”.

    The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress – instead, it sets passwords for folders to just that letter.

    Cryptkeeper’s developer appears to have abandoned the project. Luckily, it’s not used by that many people – although it makes the bug no less tragically hilarious.

    Reply
  39. Tomi Engdahl says:

    Google Hands Over $3M in Bug Bounties as Payouts Soar For New Android Flaws
    https://tech.slashdot.org/story/17/01/31/1544205/google-hands-over-3m-in-bug-bounties-as-payouts-soar-for-new-android-flaws

    Payouts in 2016 take Google’s total payments under its bug bounty schemes to $9m since it started rewarding researchers in 2010. In 2015 it paid researchers $2m

    Google hands over $3m in bug bounties as payouts soar for new Android flaws
    In the first full year of Google paying out for Android bugs, researchers netted nearly $1m.
    http://www.zdnet.com/article/google-hands-over-3m-in-bug-bounties-as-payouts-soar-for-new-android-flaws/

    Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs.

    It’s not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six years now.

    Occasionally, Google expands its program to cover new products, such as Android, and new devices such as OnHub and Nest. Facebook, Microsoft, and most recently Apple are also running their own bug bounties.

    Last year was the first full year Android was covered by Google’s bug bounty, which earned researchers nearly $1m for finding and reporting issues to the Android security team.

    The Android bug bounty launched just ahead of Google’s monthly Android security bulletins, which encourages handset makers to deliver patches regularly to devices and allows end-users to see what date their phones are patched to.

    Reply
  40. Tomi Engdahl says:

    Czech foreign minister: Emails hacked by foreign state
    https://goo.gl/xdyubG

    PRAGUE (AP) — The Czech Republic’s foreign minister said Tuesday that his email account and the accounts of dozens of ministry officials have been successfully hacked.

    The January cyberattack was sophisticated, and experts believe it was done by a foreign state, Foreign Minister Lubomir Zaoralek said.

    Reply
  41. Tomi Engdahl says:

    Anonymous Group Reveals Direct Phone Numbers For White House Staff
    http://gothamist.com/2017/01/31/white_house_phone_numbers.php

    Once upon a time, if you had a problem with something the President was doing, you could call up the White House’s public comments line and complain to a staffer about it. Whether or not that grievance got heard is up for debate, but at least you could try. Of course, President Trump doesn’t want to hear your SAD LOSER WHINING, so that public comments line got shut down

    The group hopes that people will use the resource to let staffers know how they feel about certain policies to “demand fairness and transparency in the policy making process.” They recommend you call as many numbers as you can until you reach someone.

    Reply
  42. Tomi Engdahl says:

    Spam Rises Amid Lower Exploit Kit Activity in 2016: Cisco
    http://www.securityweek.com/spam-rises-amid-lower-exploit-kit-activity-2016-cisco

    Spam messages accounted for 65% of overall email in 2016, with 8-10% of spam considered malicious, a recent report from Cisco reveals.

    According to the Cisco 2017 Annual Cybersecurity Report (PDF), activity of the Necurs botnet, which has been distributing the Locky ransomware and Dridex banking Trojan, is driving spam volume up. In fact, data from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spam-sending computer infections, shows that spam volume is close to the record-high levels seen in 2010.

    Reply
  43. Tomi Engdahl says:

    Insider Recruitment Growing on Dark Web: Report
    http://www.securityweek.com/insider-recruitment-growing-dark-web-report

    Cybercriminals are increasingly using dark web forums to recruit employees and contractors willing to help them achieve their goals, according to a report published on Tuesday by security firms IntSights and RedOwl.

    The anonymity provided by the dark web has attracted many people offering their services as insiders. I

    Reply
  44. Tomi Engdahl says:

    Matt Weinberger / Business Insider:
    GitLab says it lost six hours of data after human error took the service down, but claims the affected database doesn’t include users’ code — GitLab, a startup with $25 million in funding, is having a “very bad day,” as Interim VP of Marketing Tim Anglade put it to Business Insider …

    A startup with $25 million in funding is in crisis mode because an employee deleted the wrong files
    http://nordic.businessinsider.com/gitlab-outage-due-to-human-error-2017-2?op=1&r=US&IR=T

    GitLab, a startup with $25 million in funding, is having a “very bad day,” as Interim VP of Marketing Tim Anglade put it to Business Insider, after a series of human errors caused the service to go down overnight.

    Basically, GitLab provides a virtual workspace for programmers to work on their code together, merging individual projects into a cohesive whole. It’s a fast-growing alternative to the leading $2 billion GitHub, the high-profile Silicon Valley startup.

    The bad day started on Tuesday evening, when a GitLab system administrator tried to fix a slowdown on the site by clearing out the backup database and restarting the copying process. Unfortunately, the admin accidentally typed the command to delete the primary database instead, according to a blog entry.

    GitLab.com Database Incident
    https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-incident/

    Yesterday we had a serious incident with one of our databases. We lost 6 hours of database data (issues, merge requests, users, comments, snippets, etc.) for GitLab.com.

    Reply
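The GitLab incident above is the classic "right command, wrong host" failure: a wipe intended for the secondary's data directory was run on the primary. An added example, not GitLab's own tooling, of the guard rail a defender would want in front of any such destructive step: the host must confirm at run time, from the running database itself, that it is the replica the operator believes it is, and the script refuses on any other answer, including an inconclusive one. The PostgreSQL probe uses `psql -tAc "SELECT pg_is_in_recovery()"`, which prints `t` on a standby and `f` on a primary; the `demo()` cases use constructed roles and host names so the logic runs without a database.

```python
"""
Guard rail for destructive maintenance on a database host (added example).
"""
import os
import shutil
import socket
import subprocess
import tempfile


def postgres_role() -> str:
    """Ask the local PostgreSQL server whether it is a standby.

    Any failure (no psql, no server, unexpected output) is reported as
    "unknown" so that the caller refuses rather than guesses.
    """
    try:
        proc = subprocess.run(
            ["psql", "-tAc", "SELECT pg_is_in_recovery()"],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return {"t": "replica", "f": "primary"}.get(proc.stdout.strip(), "unknown")


def wipe_replica_data_dir(data_dir, expected_host, role_probe=postgres_role, hostname=None):
    """Remove data_dir only on the named host and only if it reports itself as a replica.

    Returns a short status string that starts with "refused" when nothing was
    deleted. role_probe and hostname are injectable so the decision logic can
    be exercised without a live database.
    """
    hostname = hostname or socket.gethostname()
    if hostname != expected_host:
        return f"refused: running on {hostname!r}, expected {expected_host!r}"
    role = role_probe()
    if role != "replica":
        return f"refused: {hostname!r} reports role {role!r}, not 'replica'"
    shutil.rmtree(data_dir)
    return f"wiped {data_dir} on replica {hostname!r}"


def demo():
    """Exercise the guard with constructed roles and host names.

    Returns (status, directory_still_exists) for each case, in this order:
    wrong role, wrong host, inconclusive role, and the one case that is allowed.
    """
    cases = [
        ("primary", "db2", "db2"),   # operator is on the primary by mistake
        ("replica", "db2", "db1"),   # wrong host, even though it is a replica
        ("unknown", "db2", "db2"),   # probe could not decide
        ("replica", "db2", "db2"),   # expected host and confirmed replica
    ]
    results = []
    for role, expected, actual in cases:
        d = tempfile.mkdtemp(prefix="pgdata-")
        status = wipe_replica_data_dir(d, expected, role_probe=lambda r=role: r, hostname=actual)
        results.append((status, os.path.isdir(d)))
        shutil.rmtree(d, ignore_errors=True)
    return results


if __name__ == "__main__":
    for status, exists in demo():
        print(f"{status} | directory still exists: {exists}")
```

The host-name check is deliberately separate from the role check: a node can be a genuine replica and still be the wrong one, and a probe that cannot reach the database must fail closed. The same shape applies to any "clear and re-seed the secondary" procedure, whatever the database.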
  45. Tomi Engdahl says:

    Stephanie Condon / ZDNet:
    HPE acquires behavioral security analytics firm Niara

    HPE acquires behavioral security analytics firm Niara
    http://www.zdnet.com/article/hpe-acquires-behavioral-security-analytics-firm-niara/

    Niara’s behavior analytics software will be integrated with HPE Aruba’s ClearPass network security portfolio.

    Reply
  46. Tomi Engdahl says:

    Rethinking Toxic Data in Light of GDPR
    http://www.securityweek.com/rethinking-toxic-data-light-gdpr

    Toxic data is sensitive information that you would rather not retain, but must for the sake of business operations.

    Like chemicals used in manufacturing, toxic data is a necessary ingredient for a desired outcome. Yet it must be handled in a way that eliminates unintended exposure.

    Some define toxic data as information that has already been lost and caused damage to the organization that was responsible for it. Examples include the loss of credit card information by a retail organization, illegal downloads of a motion picture, or theft of proprietary designs from a manufacturer. Others have warned that “calling data a ‘toxic asset’ sensationalizes the data security conversation into alarmist territory.”

    The purpose of defining data as toxic is to call attention to the need to enhance the data protection around it. So the idea that the data isn’t toxic until it is lost is an inadequate way of categorizing it. While the word “toxic” has an alarmist bend to it, the evolving regulatory landscape provides a new reason to be alarmed.

    Reply
  47. Tomi Engdahl says:

    Passwords Are Not Dead; There Are 90 Billion of Them, Report Says
    http://www.securityweek.com/passwords-are-not-dead-there-are-90-billion-them-report-says

    The Total Number of Passwords Will Likely Grow from Approximately 90 Billion Today to 300 Billion by 2020, Report Says

    There are 90 billion instances of something-you-know (that is, some flavor of the password mechanism) being used around the globe as the primary form of protecting cyber secrets today. This is a huge attack landscape that is frequently broken; but despite repeated claims that the password is dead — for example, by Bill Gates in 2004, by IBM in 2011 and by Google in 2013 — passwords show no sign of going away.

    This is the conclusion of a new research report (PDF) from Cybersecurity Ventures and Thycotic. Not only is the password here to stay for the foreseeable future, its use will increase by threefold to around 300 billion instances by 2020. “Passwords are absolutely not dead — they are not even declining — and there is currently no technology that is replacing them,” explains Thycotic’s Joseph Carson, co-author of the report. “The current rate of growth is significant and the threat landscape for passwords will, by 2020, be three times what it currently is.”

    That growth will be fueled by more people coming online, by more people using social media logons and generating ‘hidden’ passwords in the process, and perhaps above all by the internet of things.

    One of the problems is that there is little consistency in either recommendations or options. For example, in September 2015 the UK’s GCHQ issued password guidance that included, “Regular password changing harms rather than improves security, so avoid placing this burden on users.”

    “GCHQ’s recommendations are good in one sense,” said Carson, “but they differ from Australia’s recommendations, they differ from security researchers’ recommendations, and in the end, they just add to the global inconsistency. We really need a global collective approach”

    The World Will Need to Protect 300 Billion Passwords By 2020
    https://thycotic.com/wp-content/uploads/2013/03/Cybersecurity-Ventures-Thycotic_Password-Protection.pdf

    As the total universe of passwords will likely grow from approximately 90 billion today to 300 billion by 2020, organizations across the world face a massively growing cyber security risk from hacked or compromised user and privileged accounts, according to the latest research by Cybersecurity Ventures.

    Reply
  48. Tomi Engdahl says:

    Fear not, Europe’s Privacy Shield is Trump-proof – ex-FTC bigwig
    President’s executive order causes jitters, but data agreement became law today
    https://www.theregister.co.uk/2017/02/01/former_ftc_com_brill_says_privacy_shield_not_impacted/

    The transatlantic Privacy Shield data transfer agreement is not at risk from Trump’s executive actions, former FTC Commissioner Julie Brill has promised.

    In an article on her law firm’s blog, Brill notes that the recent executive order (EO) from the Oval Office, which expressly limited privacy rights to US citizens only, does not impact the critical agreement between the European Union and the United States.

    How come? Three reasons:

    The Privacy Act applies only to government databases, whereas the Privacy Shield covers corporate databases.
    No presidential Executive Order can override existing laws written by Congress – and Congress has already approved the Judicial Redress Act that grants EU citizens the right to use the US courts in the case of misuse of data.
    The other mechanism set up to make the Privacy Shield work legally – an Ombudsman that will look into any requests from Europe about access to data by the US government – remains in place.

    http://www.hldataprotection.com/2017/01/articles/international-eu-privacy/trumps-executive-order-does-not-impact-u-s-privacy-shield-commitments

    Reply
  49. Tomi Engdahl says:

    Everything Is Data, Data Is Everything
    http://www.linuxjournal.com/content/linux-journal-february-2017?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    It doesn’t take more than a glance at the current headlines to see data security is a vital part of almost everything we do. Whether it’s concern over election hacking or user accounts being publicized after a website compromise, our data integrity is more important than ever. Although there’s little we can do individually to stop hackers from attacking websites we don’t personally control, we always can be more conscious of how we manage our data and credentials for our own accounts.

    This issue certainly has a lot of security-related content, which is great if you live in the current data-centric world.

    Reply
